Navigation

Set up Database Auditing

On this page

Note

This feature is not available for M0 (Free Tier), M2, and M5 clusters. For more information, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Overview

Auditing allows administrators to track system activity for deployments with multiple users. Atlas administrators can select the actions that they want to audit, as well as the the MongoDB users, Atlas roles, and LDAP groups whose actions they want audited. Atlas supports auditing all system event actions documented at Audit Event Actions, Details, and Results.

The authCheck event action logs authorization attempts by users trying to read from and write to databases in the clusters in your project. The following specific commands are audited:

authCheck Reads authCheck Writes
aggregate aggregate
mapReduce mapReduce
distinct delete
eval eval
count findAndModify
geoNear insert
geoSeach update
group resetError
find  
getLastError  
getMore  
getPrevError  
parallelCollectionScan  

Atlas implements the authCheck event action as the following four separate actions:

Event Action Description
authChecksReadFailures The authCheck event action for all failed reads with the auditAuthorizationSuccess parameter set to false. This is the default for read-related event actions.
authChecksReadAll

The authCheck event action for all reads, both sucesses and failures. Same as authChecksReadFailures but with the auditAuthorizationSuccess parameter set to true.

Warning

Enabling Audit authorization successes can severely impact cluster performance. Enable this option with caution.

authChecksWriteFailures The authCheck event action for all failed writes with the auditAuthorizationSuccess parameter set to false. This is the default for write-related event actions.
authChecksWriteAll

The authCheck event action for all writes, both successes and failures. Same as authChecksWriteFailures but with the auditAuthorizationSuccess parameter set to true.

Warning

Enabling Audit authorization successes can severely impact cluster performance. Enable this option with caution.

See Audit Guarantee for information about how MongoDB writes audit events to disk.

Procedure

Use the following procedure to set up database auditing:

1

Log in to your Atlas project.

2

Click Security, then click Enterprise Security.

3

Toggle the button next to Database Auditing to On.

4

Select the MongoDB users, Atlas roles, and LDAP groups whose actions you want to audit in Select users and roles.

Alternatively, click Use Custom JSON Filter to manually enter an audit filter as a JSON string. For more information on configuring custom audit filters in Atlas, see Configure a Custom Auditing Filter.

5

Select the event actions that you want to audit in Select actions to audit.

Note

When selecting the authorization success granularity of auditing for the authCheck event action, Atlas does not support different selections for reads and writes. For example, you may not select Successes and Failures for authCheck Reads and Failures for authCheck Writes. If you select both authCheck Reads and authCheck Writes, Atlas automatically applies your selected granularity to both.

6

Click Save.

To retrieve the audit logs in Atlas, see MongoDB Logs. To retrieve the the audit logs using the API, see Logs.